SEAMLESS AND AUTHENTICATED TRANSFER OF A USER FROM 
AN E-BUSINESS WEBSITE TO AN AFFILIATED E-BUSINESS 
WEBSITE 

Reservation of Copyright 

[0001] This patent document contains information subject to copyright protection. 
The copyright owner has no objection to the facsimile reproduction by anyone of the patent 
document or the patent, as it appears in the U.S. Patent and Trademark Office files or records 
but otherwise reserves all copyright rights whatsoever. 

BACKGROUND 

[0002] Aspects of the present invention relate to the Internet. Other aspects of the present 
invention relate to World Wide Web applications. 

[0003] With the rapid advancement of the Internet, more and more companies develop 
web sites to advertise, to sell, and to provide services for their products. Users can log onto 
the web site of a company, browse the different lines of products that the company offers for 
sale, and examine various kinds of information related to the products. For example, by 
connecting to the web site of Dell Corporation, a user can gather not only the 
description and price of a Dell computer but also detailed technical specifications of the same. 
In addition, a company's web site may also provide links to the web sites of other affiliated 
companies for information related to the company's products. For example, the web site of 
Dell Corporation may have links to a web site of Intel Corporation, which may provide 
detailed information about various computer chips that are produced by Intel and used to 
build Dell computers. 

[0004] Presently, each time a user follows a link from one web site to a different 
web site, the user may be required to log in again at the web site to which the user is 
transferred. For example, if 
a web site hosted by Dell Corporation provides customer services to its computer purchasers, 
it may require a customer to log in to obtain the services. During the login, the customer may 
be required to provide information such as user's identification, user's password, user's 
product serial number, etc. Dell's web site may provide links to various web pages at a 
web site hosted by Intel Corporation (which is external to Dell). When a Dell customer, 
after logging in at Dell's web site, follows a link to an Intel web page, the customer is 
required to log in again. Furthermore, if the Intel web page also provides links to other web 
sites, the customer may be asked to log in many times. These repetitive login processes may 
discourage a customer. In addition, they diminish the usefulness and the efficiency that 
hyperlinks in a web page can provide. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0005] The present invention is further described in terms of exemplary embodiments, 
which will be described in detail with reference to the drawings. These embodiments are 
non-limiting exemplary embodiments, in which like reference numerals represent similar parts 
throughout the several views of the drawings, and wherein: 

[0006] Fig. 1 depicts a high-level architecture of a mechanism, which allows a main 
web site to transfer a user to an affiliated web site in a seamless and authenticated manner, 
according to embodiments of the present invention; 

[0007] Fig. 2 is an exemplary flowchart of a process, in which a user is transferred 
from a main web site to an affiliated web site in a seamless and authenticated manner, 
according to embodiments of the present invention; 

[0008] Fig. 3 depicts an exemplary internal structure of a main web site that facilitates 
seamless and authenticated transfer of a user to an affiliated web site, according to 
embodiments of the present invention; 

[0009] Fig. 4 shows an exemplary construct of a ticket which is used to transfer a user 
from a main web site to an affiliated web site, according to an embodiment of the present 
invention; 

[0010] Fig. 5 depicts an exemplary internal structure of an affiliated web site that 
facilitates seamless and authenticated transfer of a user from a main web site, according to 
embodiments of the present invention; 

[0011] Fig. 6 is an exemplary flowchart of a process, in which a main web site 
transfers a user to an affiliated web site using a ticket, according to embodiments of the 
present invention; 

[0012] Fig. 7 is an exemplary flowchart of a process, in which a ticket for transferring 
a user from a main web site to an affiliated web site is constructed and encoded, according to 
an embodiment of the present invention; and 

[0013] Fig. 8 is an exemplary flowchart of a process, in which an affiliated web site 
accepts a transferred user by automatically authenticating a ticket and registering the user, 
according to an embodiment of the present invention. 

DETAILED DESCRIPTION 

[0014] The invention is described below, with reference to detailed illustrative 
embodiments. It will be apparent that the invention can be embodied in a wide variety of 
forms, some of which may be quite different from those of the disclosed embodiments. 
Consequently, the specific structural and functional details disclosed herein are merely 
representative and do not limit the scope of the invention. 

[0015] The processing described below may be performed by a properly programmed 
general-purpose computer alone or in connection with a special purpose computer. Such 
processing may be performed by a single platform or by a distributed processing platform. In 
addition, such processing and functionality can be implemented in the form of special purpose 
hardware or in the form of software being run by a general-purpose computer. Any data 
handled in such processing or created as a result of such processing can be stored in any 
memory as is conventional in the art. By way of example, such data may be stored in a 
temporary memory, such as in the RAM of a given computer system or subsystem. In 
addition, or in the alternative, such data may be stored in longer-term storage devices, for 
example, magnetic disks, rewritable optical disks, and so on. For purposes of the disclosure 
herein, computer-readable media may comprise any form of data storage mechanism, 
including such existing memory technologies as well as hardware or circuit representations of 
such structures and of such data. 

[0016] Fig. 1 depicts a high-level architecture of a mechanism 100, which allows a 
main web site 150 to transfer a user 130 to an affiliated web site 160 in a seamless and 
authenticated manner, according to embodiments of the present invention. The user 130 
connects to a web site, either the main web site 150 or the affiliated web site 160, via a 
browser 120. The user 130 and the browser 120 together represent a web client 110. 

[0017] In mechanism 100, the user 130 connects to the main web site 150 first. Upon 
receiving a connection request from the user 130 via the browser 120, the main web site 150 
may authenticate the user 130. Once the connection is established, the main web site 150 
advises the user 130 about an available service offered at the affiliated web site 160 by issuing 
a ticket 135, comprising a digital signature and information related to the user 130, to the user 
130. The user 130 may then determine to utilize the available service at the affiliated web site 
160 and connect to the affiliated web site 160 using the ticket 135. Upon receiving the 
ticket 135, the affiliated web site 160 may authenticate the digital signature of the ticket 135 
prior to registering the user 130 at the affiliated web site 160. 

[0018] The main web site 150 represents a generic web site, which may provide 
online services to users. The main web site 150 is affiliated with one or more web sites (only 
one affiliated web site is shown in Fig. 1) that may offer additional and relevant online 
services. For example, the main web site 150 may correspond to a service web site of a 
corporation (e.g., Dell Corporation) and it may have links or references to service web sites of 
other corporations (e.g., Intel Corporation) that are external to the hosting environment of the 
main web site 150. 

[0019] The affiliated web site 160 also represents a generic web site, which provides 
online services to users, who may connect to the affiliated web site 160 either independently 
or through a link or a reference initiated at the main web site 150. Similarly, the services 
offered by the affiliated web site may be independently provided to users or may be provided 
as additional services that are relevant to the services provided at the main web site 150. For 
instance, a web site hosted by Dell Corporation that provides technical support to its computer 
purchasers may have a link to another web site, hosted by Intel Corporation, that provides 
technical support to users who may have questions about the Intel chips used in Dell 
computers. In this case, the web site hosted at Dell Corporation is a main web site and the 
web site hosted by Intel Corporation is an affiliated web site. 

[0020] The main web site 150, upon receiving a request from the user 130 to logon, 
may first perform necessary authentication of the user 130. The user 130 may be a new or an 
existing user of the main web site 150. When it is a new user, information about a new user 
may be collected during the initial registration and the collected information may be stored at 
the main web site 150 for future authentication purposes. Examples of such information 
include user's identification and user's preferences such as language preference. During an 
initial registration process, the main web site 150 may also assign certain privilege terms to 
the user. 

[0021] If the user 130 is an existing user, the main web site 150 may perform 
authentication against pre-stored information related to the user 130. Such pre-stored 
information may include verification of the user's password, product serial number, or the 
user's privilege. For example, based on the pre-stored information related to the user 130, 
the main web site 150 may verify the password of the user or whether the user 130 has the 
privilege for the requested service. The verification process may also determine how the 
main web site 150 can serve the user 130. For example, a user's language preference may 
be used to control how a web page is to be rendered. 

[0022] During a connected browsing session with the user 130, the main web site 150 
may advise the user 130 about an available service offered at the affiliated web site 160. This 
may be achieved by providing a link or reference to the affiliated web site 160, wherein the 
link may be implemented to appear on a linking page specifically designed to advertise the 
available service. Through this link, the user 130 may choose to utilize the available 
service. To facilitate the user's request to utilize the available service, the main web site 150 
issues a ticket that allows the user to enter the affiliated web site directly without having to 
manually logon to the affiliated web site 160. 

[0023] The ticket 135 may represent a collection of information necessary to 
automatically authenticate and register the user 130 at the affiliated web site 160. For 
example, it may comprise a digital signature and the information related to the user such as 
the user's identification, the user's preference information, or the user's privilege information. 
A digital signature may be used to signify a trusted source of reference. For example, from a 
digital signature of a ticket, the source of the ticket may be recognized. In mechanism 100, a 
digital signature of the ticket 130 may be the signature of the main web site 150 or a digital 
signature generated with a user-specific key held at the main web site 150 or it may comprise 
both. 

[0024] The ticket 135 contains sufficient information to authenticate the user 130 at 
the affiliated web site 160. The ticket 135 contains the user's identification and the digital 
signature verifies that the main web site 130 has already authenticated the user's identity. 
That is, through the ticket 135, the affiliated web site 160 can extract useful information such 
as user's identification and password, that is necessary to authenticate the user 130. Other 
types of information may also be included in the ticket 135. For example, user's preferences 
(e.g., preferred language used to display a web page) and user's privileges (e.g., specifying 
the level of service subscribed) may be included so that the affiliated web site 160 can utilize 
such information to render available services accordingly. 

[0025] Fig. 2 is an exemplary flowchart of a process, in which a user 130 is 
transferred from a main web site 150 to an affiliated web site 160 in a seamless and 
authenticated manner, according to embodiments of the present invention. The user 130 first 
registers at the main web site 150 at act 210. Upon registering the user 130, the main web site 
150 generates, at act 220, a linking page that is then applied, at act 230, to advise the user 130 
about an available service offered at the affiliated web site 160. 

[0026] When the user 130 chooses, at act 240, the available service, the main web site 
150 issues, at act 250, a ticket to the user 130. Using the ticket issued from the main web site 
150, the user 130 requests, at act 260, the available service. When the affiliated web site 160 
receives the request, it verifies, at act 270, the authenticity of the ticket. Once the ticket is 
authenticated, the affiliated web site 160 provides, at act 280, the available service to the user 
130. 

[0027] Fig. 3 depicts an exemplary internal structure of the main web site 150 that 
facilitates seamless and authenticated transfer of a user to the affiliated web site 160, 
according to embodiments of the present invention. The main web site 150 comprises a 
plurality of web pages 305, a user registration mechanism 310, an online service mechanism 
307, a linking page generation mechanism 330, a service transfer mechanism 355, a signing 
key 340, and a secure socket layer 380. The user registration mechanism 310 registers a user 
who requests a service at the main web site 150. Necessary authentication may be performed 
as part of the registration. Once the user is registered, the online service mechanism 307 
provides services to the user by, for example, displaying web pages 305. During the service, 
the linking page generation mechanism 330 generates a linking page with a link to an 
available service at the affiliated web site 160. The linking page is subsequently used by the 
online service mechanism 307 to advertise an available service. If the user chooses to use the 
available service by activating the link, the main web site 150 issues a ticket for transferring 
the user to the affiliated web site 160. 

[0028] The user registration mechanism 310 comprises a user information database 
325, an authentication mechanism 315, and a registration mechanism 320. The user 
information database 325 stores information about users of the main web site 150. Such 
information may include user's identification, user's password, user's preferences, and user's 
access privileges and can be retrieved for different purposes. For example, a user's password 
may be retrieved for authenticating the user. User's language preference may be obtained 
from the user information database 325 to determine how the online service mechanism 307 
should render a web page. User's privileges may be used to restrict the access of certain web 
pages, corresponding to certain services, at the main web site 150. 

[0029] The authentication mechanism 315 authenticates a user. Authentication may 
be performed according to the information stored in the user information database 325, if the 
user 130 is an existing user. In this case, information related to the user may be retrieved 
based on user's identification (e.g., login name) and the retrieved information includes the 
information (e.g., password) to be used to authenticate the user 130. Once the user 130 is 
authenticated, the registration mechanism 320 may proceed to register the user 130. 
Registering an existing user may include recording the current request and updating the user 
information database if the current information related to the user 130 is different from the 
information related to the user 130 presently stored in the user information database 325. 

[0030] If the user is a new user (e.g., the user's identification cannot be found in the 
user information database 325), the registration mechanism 320 may be invoked directly to 
register the new user. In this case, the registration mechanism 320 may acquire necessary 
information from the new user, which may include the user's chosen password. Other types 
of information related to the user may also be acquired such as desired services and the user's 
preferences in terms of how services may be rendered (e.g., preferred language used to 
display web pages when services are offered). The acquired user's information may then be 
stored in the user information database 325. The stored information may be properly 
indexed (e.g., according to user's identification) so that when needed, the information may be 
retrieved efficiently. 

[0031] The web pages 305 may constitute the display content of the services offered at 
the main web site 150. The online service mechanism 307 may render the web pages 305 
according to the user's preferences such as a particular language preference. During the 
process of servicing the user, the main web site 150 may, at an appropriate point, advise the user 
130 about an available service (or available services) offered at the affiliated web site 160. 
To facilitate that, the linking page generation mechanism 330 generates a linking page 335 
which contains a link 337 through which the user may connect directly to the affiliated web 
site 160. 

[0032] The link 337 may be implemented as a universal resource locator (URL) 
address, representing the location of the affiliated web site 160. If interested in the available 
service, the user may simply click on the link 337 to connect to the available service. The 
link 337 may be associated with the ticket 135, which may be designed to facilitate a seamless 
service transfer. The ticket is generated by the service transfer mechanism 350, which, as 
depicted in Fig. 3, comprises a ticket issuing mechanism 360, a ticket encoding mechanism 
365, and a ticket signing mechanism 370. 

[0033] The ticket issuing mechanism 360 generates the ticket 135. The ticket 135 
represents a transfer authorization and it may contain different types of information needed 
for the affiliated web site 160 to perform authentication and registration. In Fig. 4, an 
exemplary construct of a ticket is shown. The ticket 135 includes user's identification 410, 
user's preferences 430, user's privileges 440, a timestamp 450, and a digital signature 460. 
The user's identification 410 indicates to whom the ticket 135 is issued. The digital 
signature 460 provides an assurance that the identity of the user has already been verified at 
the main web site 150. Based on the trust relationship between the main web site 150 and the 
affiliated web site 160, and on the shared secret of the signing key 340 and the verifying key 
525, the affiliated web site 160 may automatically authenticate an existing user without 
prompting for a password or other authentication data. This streamlines the authentication 
process for an existing user. 

[0034] Other types of information (related to the user) incorporated in the ticket 135 
may also facilitate seamless and efficient services at the affiliated web site 160. For example, 
user's preferences 430, such as language preference 470 and advertisement preference 480, 
may be used by the affiliated web site 160 to determine how to render its services to the 
transferred user 130. Based on the language preference 470, services may be offered in a 
specified preferred language. Based on the advertisement preference 480, the affiliated web 
site 160 may select only those categories of advertisement that are consistent with the user's 
preferred advertisement and render such selected advertisement in web pages. 

[0035] When the ticket 135 is issued, the ticket issuing mechanism 360 may attach the 
timestamp 450 to the ticket 135 to specify the time at which the ticket is issued. The 
timestamp 450 may have different uses. For example, it may be used to determine the 
validity of the ticket: the affiliated web site 160 may consider a ticket issued 30 minutes ago 
as invalid. The authentication criteria adopted at the affiliated web site 160 may be 
application dependent. Consequently, what types of information should be incorporated in 
the ticket 135 may also be determined based on the specific needs of underlying applications. 

[0036] The ticket signing mechanism 370 incorporates the digital signature 460 in the 
ticket 135. The digital signature 460 may be generated based on the signing key 340. The 
digital signature 460 may serve as a transfer authorization stamp placed by the main web site 
150 on the ticket 135. The signing key 340 used to generate the digital signature 460 may 
correspond to the private key of a public/private key pair agreed between the main web site 
150 and the affiliated web site 160. With the digital signature 460, the affiliated web site 160 
can verify the authenticity of the ticket using the public key of the agreed public/private key 
pair so as to make sure that the underlying transfer through such a signed ticket is indeed 
issued from a valid affiliated web site. 

[0037] The ticket encoding mechanism 365 encodes the ticket 135. The encoding 
may include, for instance, organizing different types of information contained in the ticket 
according to some agreed structure. The ticket encoding mechanism 365 may also determine 
an appropriate means to transfer the ticket 135. For example, the ticket 135 may be coded as 
a parameter in the URL address corresponding to the link 337. Alternatively, the ticket 135 
may also be coded as part of an in-memory cookie. 

[0038] The ticket encoding mechanism 365 may select an encoding scheme, among 
possibly a plurality of supported encoding options, that is suitable for a specific transfer. 
That is, the ticket encoding mechanism 365 may determine an encoding scheme on the fly based 
on certain criteria. For example, the encoding scheme of incorporating the ticket 135 as part 
of an in-memory cookie may be employed when the main web site 150 and the affiliated web 
site 160 are in the same domain. Alternatively, the encoding scheme of incorporating the 
ticket 135 as a parameter of a URL address may be employed when the main web site 150 and 
the affiliated web site 160 are not in the same domain. 

[0039] Fig. 5 depicts an exemplary internal structure of the affiliated web site 160 that 
facilitates a seamless and authenticated transfer of a user from the main web site 150, 
according to embodiments of the present invention. The affiliated web site 160 comprises a 
secure socket layer 505, a ticket authentication mechanism 510, a registration mechanism 550, 
an online service mechanism 555, and a plurality of web pages 545. The affiliated web site 
160 receives a transfer ticket 135 via the secure socket layer 505. Upon receiving the transfer 
ticket 135, the ticket authentication mechanism 510 verifies the authenticity of the ticket 135, 
decodes the ticket 135, and parses the ticket 135 to extract distinct types of information. The 
registration mechanism 550 then utilizes the user's information extracted from the ticket 135 
to automatically authenticate the transferred user. If the user is authenticated, the online 
service mechanism 555 renders online services through the web pages 545. 

[0040] The ticket authentication mechanism 510 comprises a ticket decoding 
mechanism 520, a signature authenticating mechanism 530, a verifying key 525, and a ticket 
parsing mechanism 540. The ticket decoding mechanism 520 first decodes the ticket 135. 
For example, if a ticket is encoded as a parameter in a URL address, the ticket decoding 
mechanism 520 identifies and extracts the ticket from the URL address. If a ticket is encoded 
as part of a cookie, the ticket decoding mechanism 520 identifies and extracts the ticket from 
the cookie. The extracted ticket contains different types of information such as digital 
signature, user's identification and password, or user's preferences. 

[0041] Before the transferred user can be registered at the affiliated web site 160, the 
ticket 135 may need to be authenticated. That is, the affiliated web site 160 may need to 
make sure that the ticket is from a reliable source. To do so, the signature verifying 
mechanism 530 authenticates the digital signature of the ticket 135 using the verifying key 
525, which may correspond to the public key of a public/private key pair that is agreed 
between the main web site 150 and the affiliated web site 160. If the main web site 150 
issues the ticket 135 using the signing key 340, the affiliated web site 160 should be able to 
use the verifying key 525 to decode the digital signature. If the digital signature in the ticket 
135 cannot be decoded using the verifying key 525, the ticket 135 may be from a different 
(possibly fraudulent) source. 

[0042] After the ticket 135 is authenticated, the ticket parsing mechanism 540 parses 
the ticket and extracts different kinds of information contained in the ticket 135. As 
illustrated in Fig. 4, the ticket 135 may include different categories of information that are 
necessary and useful for the affiliated web site 160 to either authenticate the user or to 
appropriately render online services according to the information related to the user (e.g., 
language and advertisement preferences). The parsed information is fed to the registration 
mechanism 550. 
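
The ticket flow of paragraphs [0033] through [0042] (issue and sign, encode as a URL parameter, then decode, authenticate and only afterwards parse), as an added example that is not part of the patent text. HMAC-SHA256 over a constructed shared key stands in here for the public/private-key signature of [0036]; the function names, JSON field names, `ticket` parameter name and affiliate.example URL are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. HMAC-SHA256 stands in for signing key 340 / verifying
# key 525; a deployment following [0036] would sign with a private key and
# verify with the matching public key.
DEMO_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 30 * 60  # [0035]: a ticket issued 30 minutes ago is invalid


class TicketError(Exception):
    """Raised when the affiliated site must reject a ticket."""


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user_id, preferences, privileges, key=DEMO_KEY, now=None):
    """Main-site side: build the Fig. 4 fields, sign them, return 'body.sig'."""
    fields = {
        "uid": user_id,
        "prefs": preferences,
        "privs": sorted(privileges),
        "ts": int(time.time() if now is None else now),
    }
    # Sign the exact bytes that are sent, so the verifier never re-serialises.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(sig)


def link_with_ticket(base_url, ticket):
    """Carry the ticket as a URL parameter (the cross-domain option in [0038])."""
    return base_url + "?" + urlencode({"ticket": ticket})


def verify_ticket(url, key=DEMO_KEY, now=None):
    """Affiliated-site side: decode, authenticate the signature, then parse."""
    values = parse_qs(urlsplit(url).query).get("ticket", [])
    if len(values) != 1:
        raise TicketError("expected exactly one ticket parameter")
    try:
        body_part, sig_part = values[0].split(".")
        body, sig = b64d(body_part), b64d(sig_part)
    except ValueError as exc:  # wrong number of parts or invalid base64
        raise TicketError("malformed ticket") from exc

    # Constant-time comparison; a mismatch means the fields were altered or
    # the ticket was not issued by the holder of the key.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TicketError("bad signature")

    # Only now is the body trusted enough to parse and act on.
    fields = json.loads(body)
    age = (time.time() if now is None else now) - fields["ts"]
    if age < 0 or age >= MAX_AGE_SECONDS:
        raise TicketError("ticket outside validity window")
    return fields


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    url = link_with_ticket(
        "https://affiliate.example/service",
        issue_ticket("alice", {"lang": "en"}, ["support"], now=t0),
    )
    print(url)
    print(verify_ticket(url, now=t0 + 60))
    try:
        verify_ticket(url, now=t0 + MAX_AGE_SECONDS)
    except TicketError as err:
        print("rejected:", err)
```

Because the signature covers the user's identification, preferences, privileges and timestamp together, changing any one of them in transit (for example the privilege list) makes the check fail before the affiliated site reads a single field.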

[0043] The registration mechanism 550 authenticates and registers, once 
authenticated, a user at the affiliated web site 160. The registration mechanism 550 may deal 
with both a transferred user and a user who logs on the affiliated web site 160 independently. 
The registration may be performed based on various kinds of information relevant to the user 
such as user's identification and user's preferences. For a user who logs on the affiliated site 
independently, information such as a password may also be used during the registration for, 
for example, authentication purposes. As depicted in Fig. 5, the registration mechanism 550 
at the affiliated web site 160 includes a user status determiner 560, a new user registration 
mechanism 570, an existing user registration mechanism 580, and a user information database 
590. 

[0044] The user status determiner 560 examines whether a user is a new or an existing 
user. The user's identification extracted from the ticket 135 may be used to make the 
decision. For example, based on the extracted user's identification, the user status determiner 
560 may retrieve the corresponding user's information from the user information database 
590, using the user's identification as an index during the retrieval. If no information can be 
retrieved using the user's identification, it may indicate that the user is a new user. If 
information related to the same user can be retrieved from the user information database 590, 
it may indicate that the user is an existing user. If the current user is a new user, the user 
status determiner 560 may invoke the new user registration mechanism 570 to register the 
user at the affiliated web site 160. 

[0045] When the new user registration mechanism 570 is activated, it utilizes the 
information extracted from the ticket 135 to register the new user. This may include use of 
the user's identification as an index to store other types of user's information in the user 
information database 590. By doing so, such stored user's information may be retrieved in 
the future based on the user's identification. Information extracted from the ticket 135 may 
be stored in a structure with certain categories. For example, the user's preferences may be 
stored as personalized profile so that the affiliated web site 160 can appropriately personalize 
online services according to the user specified preferences. 

[0046] If the transferred user is an existing user, the user status determiner 560 may 
further examine whether the current user's information is different from the user's 
information stored in the user information database 590. For example, it may examine 
whether the user currently has different preferences or whether the user's privileges have been 
changed (e.g., the main web site 150 may have recently upgraded the user's privileges). The 
user status determiner 560 may then invoke the existing user registration mechanism 580 to 
register the existing user with notification about the discrepancies between the current user 
information and stored user information. 

[0047] When the existing user authentication mechanism 580 is activated for a user 
with a valid ticket, it automatically authenticates the user 130 without further input. 

[0048] In the mechanism 100, the main web site 150 and the affiliated web site 160 
are associated with each other. Information about their common users stored in the user 
information database 325 at the main web site 150 and the user information database 590 at 
the affiliated web site 160 may need to be synchronized. Any discrepancy in user data may 
indicate that the two web sites are not synchronized. In this case, the existing user 
registration mechanism 580 may react accordingly. For example, it may update the user's 
information in the user information database 590 based on the information extracted from the 
ticket 135. Whether the affiliated web site 160 permits a transferred user with discrepancy 
to register may be implemented according to application needs. For example, if a transferred 
user has different privileges specified in the ticket 135 than in the user information database 
590, the existing user registration mechanism 570 may update the privileges in the user 
database 590 to match the ticket 135, ignore the privileges in the ticket 135 and only 
grant those privileges in the user information database 590, combine the two sets of privileges 
in some way, or deny the user access to the site altogether. For applications where the user 
information database 590 is not updated from data in the ticket 135, a secure offline process 
may be used for direct synchronization between the user information database 325 at the main 
web site 150 and the user information database 590 at the affiliated web site 160. 

[0049] Discrepancies in other kinds of information, which may not be 
considered equally crucial, may also trigger the existing user registration mechanism 580 to 
update the user information database 590. Examples of such information include user's 
preferences. Some discrepancies may not raise security issues. When such discrepancies are 
detected, they can be used to update the stored information so that the affiliated web site 160 
can serve the user in a consistent and effective fashion. 

[0050] The online service mechanism 555 is activated once the registration is 
completed. It provides the online services available at the affiliated web site 160 to the user 
and offers such services by displaying the web pages 545 in an appropriate form that is 
consistent with the user's preferences and privileges. 

[0051] Fig. 6 is an exemplary flowchart of a process, in which the main web site 150 
transfers the user 130 to the affiliated web site 160 using the ticket 135, according to 
embodiments of the present invention. A request is first received, at act 610, from the user 
130 to connect to the main web site 150. The main web site 150 then authenticates the user at 
act 620. Once the user is authenticated, the main web site 150 creates, at act 630, a link to the 
affiliated web site that hosts an available service and further constructs, at act 640, a linking 
page. The available service is advised, at act 650, to the user during the interaction between 
the user 130 and the main web site 150. 

[0052] The user 130, upon receiving the linking page that advertises the available 
service offered at the affiliated web site 160, may select to connect to the affiliated web site 
160. The user 130 may make the selection by clicking on the link in the linking page. When 
the selection is received, at act 660, the main web site 150 issues a ticket 130, at act 670, 
to authorize a transfer, which is performed at act 670, of the user 130 from the 
main web site 150 to the affiliated web site 160. 

[0053] To generate a ticket, the service transfer mechanism 350 gathers various types 
of information to facilitate a seamless and authenticated transfer. Fig. 7 is an exemplary 
flowchart of a process, in which the ticket 135 authorizing a transfer of a user 130 at the main 
web site 150 to the affiliated web site 160 is constructed and encoded to facilitate a seamless 
and authenticated transfer, according to an embodiment of the present invention. The service 
transfer mechanism 350 first obtains, at act 710, the user's identification. Based on the user's 
identification, information related to the user is gathered, at act 720. Such information may 
include the user's preferences and privileges. A timestamp is issued at act 730 to mark the time 
at which the ticket 135 is issued. 

[0054] To allow the affiliated web site 160 to authenticate the source of the ticket 135, 
the service transfer mechanism 350 generates, at act 740, a digital signature for the ticket 135. 
Based on the user's information, the timestamp, and the digital signature, the ticket 135 is 
constructed at act 750. To encode the ticket 135, it is examined, at act 760, whether the 
affiliated web site 160 is in the same domain as the main web site 150. If both web sites are 
within the same domain, the ticket 135 is encoded, at act 770, as part of an in-memory cookie. 
Otherwise, the ticket 135 is encoded, at act 780, as a parameter of the URL address linking to 
the affiliated web site 160. 

[0055] Fig. 8 is an exemplary flowchart of a process, in which the affiliated web site 
160 provides online service to a user that is transferred from the main web site 150 in a 
seamless fashion, according to an embodiment of the present invention. The affiliated web 
site 160 receives, at act 810, an encoded ticket 135, which is then decoded at act 820. The 
digital signature of the ticket 135 is authenticated at act 830. If the ticket is verified from the 
main web site 150, the affiliated web site 160 further examines, at act 840, whether the 
transferred user corresponds to a new or an existing user. 

[0056] If the transferred user is a new user, the affiliated web site 160 opens, at act 
850, a new account for the user. The information about the user extracted from the ticket 135 
is then used to update the user information database 590 at the affiliated web site 160. If the 
transferred user corresponds to an existing user, the affiliated web site 160 further examines, 
at act 845, whether any relevant user's information has been changed. This is performed 
with respect to the existing user's information stored in the user information database 590. If 
discrepancies are detected, the user information database 590 is updated, at act 860, to 
incorporate the most recent information about the user. After the user is registered with 
updated information, the affiliated web site 160 provides, at act 870, the available service to 
the transferred user. 
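
The ticket flow of Figs. 7 and 8 (issued at the main web site, verified at the affiliated web site), as an added example that is not part of the patent text. HMAC-SHA256 over a shared key stands in for the digital signature because the Python standard library has no asymmetric signing; the key, the field names, the 120-second freshness window, the host `affiliate.example` and the intersect policy for the privilege discrepancy of [0048] are assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlparse, parse_qs

SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned out of band
MAX_AGE_SECONDS = 120                 # assumption: freshness window

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ticket(user_id, preferences, privileges, now=None):
    """Acts 710-750: gather user data, timestamp it, sign it."""
    claims = {"uid": user_id, "prefs": preferences, "privs": sorted(privileges),
              "iat": int(now if now is not None else time.time())}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

def transfer_url(affiliate_base, ticket):
    """Act 780: a cross-domain transfer carries the ticket as a URL parameter."""
    return affiliate_base + "?" + urlencode({"ticket": ticket})

def verify_ticket(url, now=None):
    """Acts 810-830: decode, authenticate, then reject stale tickets."""
    values = parse_qs(urlparse(url).query).get("ticket", [])
    if len(values) != 1 or values[0].count(".") != 1:
        raise ValueError("missing or malformed ticket")
    body_b64, tag_b64 = values[0].split(".")
    try:
        body, tag = b64d(body_b64), b64d(tag_b64)
    except ValueError:
        raise ValueError("malformed ticket encoding") from None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("signature check failed")
    claims = json.loads(body)  # parsed only after authentication
    age = (now if now is not None else time.time()) - claims["iat"]
    if not 0 <= age <= MAX_AGE_SECONDS:
        raise ValueError("ticket outside freshness window")
    return claims

def effective_privileges(claims, stored_privileges):
    """One 'combine' option from [0048]: grant only what both sides agree on."""
    return set(claims["privs"]) & set(stored_privileges)
```

With a shared-key MAC the affiliated web site could also mint tickets; an asymmetric signature verified with the main web site's public key removes that ability.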

[0057] While the invention has been described with reference to certain illustrated 
embodiments, the words that have been used herein are words of description, rather than 
words of limitation. Changes may be made, within the purview of the appended claims, 
without departing from the scope and spirit of the invention in its aspects. Although the 
invention has been described herein with reference to particular structures, acts, and materials, 
the invention is not to be limited to the particulars disclosed, but rather extends to all 
equivalent structures, acts, and materials, such as are within the scope of the appended 
claims. 